Security

Why is Index Based RBAC not working?

HaydenMc
New Member

Hey all,

Working on creating some access control based on indices and running into a weird issue. When I create a custom role and grant this role all capabilities (with no role inheritance) to the specified index, I'm not able to search data inside that index. However, if I create said custom role inheriting the user role, but with the exact same capabilities, it then lets me search.

I've also cloned the user role and appended the index permissions to suit my needs but am experiencing the exact same issue: the cloned role has no access to the allowed indices, but the second I inherit the user role it seems to work again.

This behaviour is only found on our dedicated search heads. When I enable the web UI and replicate on indexers, it works as expected, with the custom role searching assigned indices.

Splunk Enterprise Version: 9.0.0.1

Any help would be appreciated!!!

Thanks guys

0 Karma

gcusello
SplunkTrust

Hi @HaydenMc,

Are you sure that you flagged the "Included" box option for your index in the Role definition page?

Ciao.

Giuseppe

0 Karma

HaydenMc
New Member

Hi @gcusello,

Thanks for the reply. Yes, I can confirm the included box has been ticked. Just for testing, I've cloned the out of box user role with everything including the accessible indexes and I am experiencing the exact same issue. Any user assigned this cloned role has no access, but any user assigned the user role (the role that I cloned), it works as expected. It's almost like the out of the box user role is somehow different to the cloned role I've created.

Thanks

0 Karma

isoutamo
SplunkTrust

Those access issues are quite hard to solve with the GUI. I usually use some separate app which can tell how Splunk has expanded those roles. Here is one which you could install and test in your (test) environment: https://splunkbase.splunk.com/app/4111/#/details

r. Ismo

0 Karma
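The role expansion mentioned in the reply above can also be inspected offline. The following is an added example, not code from any poster in this thread or from Splunk: it parses `authorize.conf` text, follows `importRoles`, and reports what one role effectively has that another lacks. The role names and the sample configuration are constructed, and only capabilities and `srchIndexesAllowed` are modelled.

```python
import configparser

# Constructed sample, not taken from the thread: a "user"-like role, a custom
# role that inherits it, and a hypothetical standalone role with no inheritance.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled
rest_properties_get = enabled
srchIndexesAllowed = main

[role_app_team]
importRoles = user
srchIndexesAllowed = app_logs

[role_app_team_standalone]
search = enabled
srchIndexesAllowed = app_logs
"""

def load_roles(conf_text):
    """Parse authorize.conf text into {role_name: {setting: value}}."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keep case: srchIndexesAllowed, importRoles
    parser.read_string(conf_text)
    return {s[len("role_"):]: dict(parser[s]) for s in parser.sections() if s.startswith("role_")}

def split_list(value):
    return {item.strip() for item in value.split(";") if item.strip()}

def expand(roles, name, _seen=None):
    """Return (capabilities, allowed_indexes) after following importRoles."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in roles:  # inheritance cycle or undefined role
        return set(), set()
    seen.add(name)
    settings = roles[name]
    caps = {k for k, v in settings.items() if v.strip().lower() == "enabled"}
    indexes = split_list(settings.get("srchIndexesAllowed", ""))
    for parent in split_list(settings.get("importRoles", "")):
        p_caps, p_idx = expand(roles, parent, seen)
        caps |= p_caps
        indexes |= p_idx
    return caps, indexes

def diff_roles(roles, a, b):
    """What role `a` effectively has that role `b` lacks."""
    caps_a, idx_a = expand(roles, a)
    caps_b, idx_b = expand(roles, b)
    return {"capabilities": sorted(caps_a - caps_b), "indexes": sorted(idx_a - idx_b)}
```

Because the thread reports different behaviour on search heads and indexers, the merged configuration from each instance (for example the output of `splunk btool authorize list`) can be passed to `load_roles` and the results compared.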

gcusello
SplunkTrust

Hi @HaydenMc,

As I said, I never experienced this behavior, and I used this feature many times but never with the last Splunk version.

I suggest opening a ticket with Splunk Support; it could be a bug.

Ciao.

Giuseppe

0 Karma